Merge branch 'release/2.3.0'

Release Infection Monkey v2.3.0

.pre-commit-config.yaml

@@ -28,6 +28,7 @@ repos:
       - id: check-json
       - id: check-merge-conflict
       - id: detect-private-key
+        exclude: "envs/monkey_zoo/blackbox/expected_credentials.py"
       - id: end-of-file-fixer
       - id: trailing-whitespace
   - repo: https://github.com/eslint/eslint

CHANGELOG.md

@@ -5,12 +5,54 @@ file.
 The format is based on [Keep a
 Changelog](https://keepachangelog.com/en/1.0.0/).
 
-## [2.1.1 - 2023-06-21]
+## [2.3.0 - 2023-09-19]
+### Added
+- Ability to filter Agent events by timestamp. #3397
+- Ability to filter Agent events by tag. #3396
+- Provide a common server object to the plugins that can be used to serve agent
+  binaries to the exploited machine over HTTP. #3410
+- CPUConsumptionEvent. #3411
+- RAMConsumptionEvent. #3411
+- HTTPRequestEvent. #3411
+- DefacementEvent. #1247
+- RDP exploiter plugin. #3425
+- A cryptojacker payload to simulate cryptojacker attacks. #3411
+- `PUT /api/install-agent-plugin`. #3417
+- `GET /api/agent-plugins/installed/manifests`. #3424
+- `GET /api/agent-plugins/available/index`. #3420
+- `POST /api/uninstall-agent-plugin` # 3422
+- Chrome credentials collector plugin. #3426
+- A plugin interface for payloads. #3390
+- The ability to install plugins from an online repository. #3413, #3418, #3616
+- Support for SMBv2+ in SMB exploiter. #3577
+- A UI for uploading agent plugin archives. #3417, #3611
+
+### Changed
+- Plugin source is now gzipped. #3392
+- Allowed characters in Agent event tags. #3399, #3676
+- Hard-coded Log4Shell exploiter to a plugin. #3388
+- Hard-coded SSH exploiter to a plugin. #3170
+- Identities and secrets can be associated when configuring credentials in the
+  UI. #3393
+- Hard-coded ransomware payload to a plugin. #3391
+- Text on the registration screen to improve clarity. #1984
 
 ### Fixed
-- A configuration issue that prevents Mimikatz from being used. #3433
+- Agent hanging if plugins do not shut down. #3557
+- WMI exploiter hanging. #3543
+- Discovered network services are displayed in reports. #3000
+
+### Removed
+- Island mode configuration. #3400
+- Agent plugins from Island packages. #3616
+
+### Security
+- Fixed a ReDoS issue when validating ransomware file extensions. #3391
 
+## [2.2.1 - 2023-06-21]
 
+### Fixed
+- A configuration issue that prevents Mimikatz from being used. #3433
 
 ## [2.2.0 - 2023-05-31]
 ### Added
@@ -37,6 +79,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
 - Hard-coded PowerShell exploiter to a plugin. #3165
 
 ### Fixed
+- Agents were being caught by Windows Defender (and other antiviruses). #1289
 - Plugins are now being checked for local OS compatibility. #3275
 - A bug that could prevent multi-hop propagation via SMB. #3173
 - Exceptions being raised when WMI and Zerologon are used together. #1774
@@ -45,8 +88,8 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
 - A bug in URL sanitization. #3318
 
 ### Security
-- Fixes a bug where OTPs can be leaked by the hadoop exploiter. #3296
-- Fixes pypykatz leaking sensitive information into the logs. #3168, #3293
+- Fixed a bug where OTPs can be leaked by the hadoop exploiter. #3296
+- Fixed pypykatz leaking sensitive information into the logs. #3168, #3293
 
 ## [2.1.0] - 2023-04-19
 ### Added

build_scripts/appimage/appimage.sh

@@ -2,7 +2,7 @@
 
 # Changes: python version
 LINUXDEPLOY_URL="https://github.com/linuxdeploy/linuxdeploy/releases/download/continuous/linuxdeploy-x86_64.AppImage"
-PYTHON_VERSION="3.11.4"
+PYTHON_VERSION="3.11.5"
 PYTHON_APPIMAGE_URL="https://github.com/niess/python-appimage/releases/download/python3.11/python${PYTHON_VERSION}-cp311-cp311-manylinux2014_x86_64.AppImage"
 APPIMAGE_DIR=$(realpath "$(dirname "${BASH_SOURCE[0]}")")
 APPDIR="$APPIMAGE_DIR/squashfs-root"

build_scripts/appimage/server_config.json.standard

@@ -1,9 +1,6 @@
 {
   "data_dir": "~/.monkey_island",
   "log_level": "DEBUG",
-  "environment": {
-    "server_config": "password"
-  },
   "mongodb": {
         "start_mongodb": true
   }

build_scripts/build_agent_linux.sh

@@ -69,7 +69,7 @@ cd /src/monkey/infection_monkey &&
 "
 
 build_commands="
-pipenv sync &&
+SKIP_CYTHON=1 PIP_NO_BINARY=pydantic pipenv sync &&
 pipenv run bash build_linux.sh &&
 echo 'Copying agent binary to \"${DIST_DIR}\"' &&
 cp dist/monkey-linux-64 /dist

docs/content/FAQ/_index.md

@@ -163,6 +163,8 @@ is sent to the update server to fetch the latest version number and a
 download link for it. This information is used by the Monkey Island to
 suggest an update if one is available.
 
+1. When you install a plugin it is downloaded from our official repository.
+
 ## Logging and how to find logs
 
 ### Downloading logs

docs/content/development/contribute-documentation.md

@@ -9,7 +9,7 @@ tags: ["contribute"]
 The `/docs` folder contains the Infection Monkey Documentation site.
 
 The site is based on [Hugo](https://gohugo.io/) and the [learn](https://themes.gohugo.io/theme/hugo-theme-learn/en) theme.
-The Hugo version being used is 0.92.0.
+The Hugo version being used is [v0.92.0](https://github.com/gohugoio/hugo/releases/tag/v0.92.0).
 
 - [Directory structure](#directory-structure)
   - [content](#content)

docs/content/development/setup-development-environment.md

@@ -8,21 +8,32 @@ tags: ["contribute"]
 
 ## Deployment scripts
 
-To set up a development environment using scripts, look at the readme under [`/deployment_scripts`](https://github.com/guardicore/monkey/blob/develop/deployment_scripts). If you want to set it up manually or run into problems, keep reading.
+To set up a development environment using scripts, look at the readme under [`/deployment_scripts`](https://github.com/guardicore/monkey/blob/master/deployment_scripts). If you want to set it up manually or run into problems, keep reading.
 
 ## The Infection Monkey Agent
 
-The Agent (which we sometimes refer to as the Monkey) is a single Python project under the [`infection_monkey`](https://github.com/guardicore/monkey/blob/master/monkey/infection_monkey) folder. The Infection Monkey Agent was built for Python 3.11. You can get it up and running by setting up a [virtual environment](https://docs.python-guide.org/dev/virtualenvs/) and installing the requirements listed in the [`requirements.txt`](https://github.com/guardicore/monkey/blob/master/monkey/infection_monkey/requirements.txt) inside it.
+The Agent (which we sometimes refer to as the Monkey) is a single Python project under the [`infection_monkey`](https://github.com/guardicore/monkey/blob/master/monkey/infection_monkey) folder. The Infection Monkey Agent was built for Python 3.11. You can get it up and running by using[`pipenv`](https://pypi.org/project/pipenv/).
 
-In order to compile the Infection Monkey for distribution by the Monkey Island, you'll need to run the instructions listed in the [`readme.txt`](https://github.com/guardicore/monkey/blob/master/monkey/infection_monkey/readme.txt) on each supported environment.
+Follow these steps to install the requirements-
+
+- Create and activate your virtual environment
+- Run
+```bash
+    pip install -U pip
+    pip install pipenv
+```
+- Do a `find` to find all files named 'Pipfile'
+- For each `Pipfile`, cd to that directory and run `pipenv sync`
+
+In order to compile the Infection Monkey for distribution by the Monkey Island, you'll need to run the instructions listed in the [`readme.txt`](https://github.com/guardicore/monkey/tree/master/monkey/infection_monkey) on each supported environment.
 
 This means setting up an environment with Linux 64-bit with Python installed and a Windows 64-bit machine with developer tools, along with 64-bit Python versions.
 
 ## The Monkey Island
 
-The Monkey Island is a Python backend React frontend project. Similar to the Agent, the backend's requirements are listed in the matching [`requirements.txt`](https://github.com/guardicore/monkey/blob/master/monkey/monkey_island/requirements.txt).
+The Monkey Island is a Python backend React frontend project. Similar to the Agent, the backend can be installed similar to `infection_monkey`.
 
-To setup a working front environment, run the instructions listed in the [`readme.txt`](https://github.com/guardicore/monkey/blob/master/monkey/monkey_island/readme.txt)
+To setup a working front environment, run the instructions listed in the [`readme.txt`](https://github.com/guardicore/monkey/blob/master/monkey/monkey_island/readme.md)
 
 ## Pre-commit
 

docs/content/reference/credentials_collectors/_index.md

@@ -0,0 +1,15 @@
+---
+title: "Credentials Collectors"
+date: 2023-09-13T16:35:19+05:30
+weight: 100
+chapter: true
+pre: '<i class="fas fa-key"></i> '
+tags: ["reference", "credentials collectors"]
+---
+
+
+# Credentials Collectors
+
+Infection Monkey has multiple ways to steal credentials from compromised machines:
+
+{{% children %}}

docs/content/reference/credentials_collectors/chrome.md

@@ -0,0 +1,12 @@
+---
+title: "Chrome"
+date: 2023-09-13T16:35:11+05:30
+tags: ["credentials collector", "chrome", "linux", "windows"]
+weight: 1
+---
+
+## Description
+
+The Chrome Credentials Collector steals saved credentials from Chrome-based browsers.
+On Linux, it targets Google Chrome and Chromium. On Windows, it targets Google Chrome
+and Microsoft Edge.

docs/content/reference/credentials_collectors/mimikatz.md

@@ -0,0 +1,12 @@
+---
+title: "Mimikatz"
+date: 2023-09-13T16:51:44+05:30
+tags: ["credentials collector", "mimikatz", "windows"]
+weight: 2
+---
+
+## Description
+
+The Mimikatz Credentials Collector uses [pypykatz](https://github.com/skelsec/pypykatz)
+(a pure-Python implementation of [mimikatz](https://github.com/gentilkiwi/mimikatz))
+to steal credentials from Windows Credential Manager.

docs/content/reference/credentials_collectors/ssh.md

@@ -0,0 +1,14 @@
+---
+title: "SSH"
+date: 2023-09-13T16:51:38+05:30
+tags: ["credentials collector", "ssh", "linux"]
+weight: 3
+---
+
+## Description
+
+The SSH Credentials Collector steals SSH keys from Linux users.
+
+For all users on the system, it locates the `/home/<user>/.ssh`
+directory and steals keypairs from it. The supported private key
+encryption formats are RSA, DSA, EC, and ECDSA.

docs/content/reference/exploiters/RDP.md

@@ -0,0 +1,39 @@
+---
+title: "RDP"
+date: 2023-08-08T13:29:21+03:00
+draft: false
+tags: ["exploit", "windows"]
+---
+
+### Description
+
+This exploiter uses brute force to propagate through the network via Remote
+Desktop Protocol (RDP). For more information about RDP, see [Microsoft's
+documentation](https://learn.microsoft.com/en-us/windows/win32/termserv/remote-desktop-protocol).
+
+
+#### Credentials used
+
+The RDP exploiter can be run from both Linux and Windows attackers and will
+use configured or stolen credentials to propagate. Different combinations of
+credentials are attempted in the following order:
+
+1. **Brute force usernames and passwords** - The exploiter will attempt to use
+   all combinations of usernames and passwords that were set in the
+   [configuration]({{< ref "/usage/configuration/credentials" >}}) or stolen by
+   a credentials collector.
+
+
+1. **Brute force usernames and NT hashes** - The exploiter will attempt to use
+   all combinations of usernames and NT Hashes that were set in the [configuration]({{< ref
+   "/usage/configuration/credentials" >}}) or stolen by a credentials collector.
+
+   This only works on Windows 8.1 and Windows Server 2012 R2. You can read more
+   [here](https://www.kali.org/blog/passing-hash-remote-desktop/).
+
+
+#### Securing Remote Desktop Protocol
+
+For information about remediating RDP-related security risks, see
+[Microsoft's
+guidance](https://www.microsoft.com/en-us/security/blog/2020/04/16/security-guidance-remote-desktop-adoption/).

docs/content/reports/ransomware.md

@@ -7,13 +7,12 @@ description: "Provides information about ransomware simulation on your network"
 ---
 
 {{% notice info %}}
-Check out [the Infection Monkey's ransomware simulation documentation]({{< ref
-"/usage/scenarios/ransomware-simulation" >}}) and [the documentation for other
+Check out [the documentation for other
 available reports]({{< ref "/reports" >}}).
 {{% /notice %}}
 
 The Infection Monkey can be configured to [simulate a ransomware
-attack](/usage/scenarios/ransomware-simulation) on your network. After running,
+attack](/usage/ransomware-simulation) on your network. After running,
 it generates a **Ransomware Report** that provides you with insight into how
 ransomware might behave within your environment.
 

docs/content/reports/security.md

@@ -10,9 +10,7 @@ description: "Provides actionable recommendations and insight into an attacker's
 Check out [the documentation for other reports available in the Infection Monkey]({{< ref "/reports" >}}).
 {{% /notice %}}
 
-The Infection Monkey's **Security Report** provides you with actionable recommendations and insight into an attacker's view of your network. You can download a PDF of an example report here:
-
-{{%attachments title="Download the PDF" pattern=".*(pdf)"/%}}
+The Infection Monkey's **Security Report** provides you with actionable recommendations and insight into an attacker's view of your network.
 
 The report is split into the following categories:
 

docs/content/setup/aws.md

@@ -26,6 +26,8 @@ When ready, you can browse to the Infection Monkey running on the fresh deployme
 
 To login to the machine, use *ubuntu* username.
 
+Once you have access to the Monkey Island server, check out the [getting started page]({{< ref "/usage/getting-started" >}}).
+
 ## Integration with AWS services
 
 The Infection Monkey has built-in integrations with AWS that allows running Agents on EC2 instances.

docs/content/setup/azure.md

@@ -28,6 +28,8 @@ you can browse to the Infection Monkey running on your fresh deployment at:
 
 `https://{public-ip-address}:5000`
 
+Once you have access to the Monkey Island server, check out the [getting started page]({{< ref "/usage/getting-started" >}}).
+
 ## Upgrading
 
 Currently, there's no "upgrade-in-place" option when a new version is released.

docs/content/setup/docker.md

@@ -65,6 +65,8 @@ been signed by a private certificate authority.
 
 After the Monkey Island docker container starts, you can access Monkey Island by pointing your browser at `https://localhost:5000`.
 
+Once you have access to the Monkey Island server, check out the [getting started page]({{< ref "/usage/getting-started" >}}).
+
 ## Configuring the server
 
 You can configure the server by mounting a volume and specifying a

docs/content/setup/linux.md

@@ -29,11 +29,11 @@ On Windows, AppImage can be run in WSL 2.
 
 1. Make the AppImage package executable:
     ```bash
-    chmod u+x InfectionMonkey-v2.2.0.AppImage
+    chmod u+x InfectionMonkey-v2.3.0.AppImage
     ```
 1. Start Monkey Island by running the Infection Monkey AppImage package:
     ```bash
-    ./InfectionMonkey-v2.2.0.AppImage
+    ./InfectionMonkey-v2.3.0.AppImage
     ```
 
    If you get errors related to FUSE, you may need to install FUSE 2.X first:
@@ -43,7 +43,8 @@ On Windows, AppImage can be run in WSL 2.
    ```
    More information about fixing FUSE-related errors can be found [here](https://docs.appimage.org/user-guide/troubleshooting/fuse.html).
 1. Access the Monkey Island web UI by pointing your browser at
-   `https://localhost:5000`.
+   `https://localhost:5000`. Once you have access to the Monkey Island server, check out the
+[getting started page]({{< ref "/usage/getting-started" >}}).
 
 {{% notice info %}}
 If you're prompted to delete your data directory and you're not sure what to
@@ -58,12 +59,12 @@ The Infection Monkey can be installed as a service and run on boot by running th
 with the following parameters. This requires root permissions, so run `sudo -v` and enter your
 password before running the script, if required.
 ```bash
-./InfectionMonkey-v2.2.0.AppImage service --install --user <USERNAME>
+./InfectionMonkey-v2.3.0.AppImage service --install --user <USERNAME>
 ```
 
 To uninstall it, run:
 ```bash
-./InfectionMonkey-v2.2.0.AppImage service --uninstall
+./InfectionMonkey-v2.3.0.AppImage service --uninstall
 ```
 
 {{% notice info %}}
@@ -77,7 +78,7 @@ You can configure the server by creating
 a [server configuration file](../../reference/server_configuration) and
 providing a path to it via command line parameters:
 
-`./InfectionMonkey-v2.2.0.AppImage --server-config="/path/to/server_config.json"`
+`./InfectionMonkey-v2.3.0.AppImage --server-config="/path/to/server_config.json"`
 
 ### Start Monkey Island with user-provided certificate
 
@@ -113,7 +114,7 @@ The server configuration file should look something like:
 
 1. Start Monkey Island by running the Infection Monkey AppImage package:
     ```bash
-    ./InfectionMonkey-v2.2.0.AppImage --server-config="/path/to/server_config.json"
+    ./InfectionMonkey-v2.3.0.AppImage --server-config="/path/to/server_config.json"
     ```
 
 1. Access the Monkey Island web UI by pointing your browser at
@@ -134,7 +135,7 @@ The server configuration file should look something like:
 
 1. Start Monkey Island by running the Infection Monkey AppImage package:
     ```bash
-    ./InfectionMonkey-v2.2.0.AppImage --server-config="/path/to/server_config.json"
+    ./InfectionMonkey-v2.3.0.AppImage --server-config="/path/to/server_config.json"
     ```
 
 1. Access the Monkey Island web UI by pointing your browser at

docs/content/setup/windows.md

@@ -27,7 +27,9 @@ do, see the [FAQ]({{< ref
 "/faq/#i-updated-to-a-new-version-of-the-infection-monkey-and-im-being-asked-to-delete-my-existing-data-directory-why"
 >}}) for more information.
 {{% /notice %}}
->
+
+Once you have access to the Monkey Island server, check out the [getting started page]({{< ref "/usage/getting-started" >}}).
+
 ## Configuring the server
 
 You can configure the server by editing [the configuration